Problem with Group Policies

[Guest]

Hi There

I was wondering if anybody out there could help me. I am having a problem with some settings not being applied from a Default Domain Policy. I have 4 sites and 4 Domains in my Active Directory that are seperated by a WAN link. I have created a Default Domain Policy at the root Domain and have applied this policy via the AD Sites and Services to the other 3 Domains 1 level down the tree. I have clicked the "No Overide" option to prevent the policy from being overwritten further down the tree. Whats happening is that some of the settings in the Policy like the Warning message before logging on to a domain is being applied but the Account Policies like Password settings are not. Instead the computers on the domains are picking up the default settings for the domain they are on. They are not picking up the settings set in the root domain. Can anyone suggest what i need to do to get these to work from the top level

Kind Regards.

T

 

[Derek Melber [MVP]]

You can not configure Account Policies from a Site linked GPO and have them
apply to ALL domains in the forest. The ONLY location to configure Domain
Account Policies is at the GPO linked to the domain, in each domain.

Also, it is usually not recommended to configure Site GPOs, except for rare
and unique instances.

--
Derek Melber
BrainCore.Net
(e-mail address removed)

Hi There,

I was wondering if anybody out there could help me. I am having a problem

with some settings not being applied from a Default Domain Policy. I have 4
sites and 4 Domains in my Active Directory that are seperated by a WAN link.
I have created a Default Domain Policy at the root Domain and have applied
this policy via the AD Sites and Services to the other 3 Domains 1 level
down the tree. I have clicked the "No Overide" option to prevent the policy
from being overwritten further down the tree. Whats happening is that some
of the settings in the Policy like the Warning message before logging on to
a domain is being applied but the Account Policies like Password settings
are not. Instead the computers on the domains are picking up the default
settings for the domain they are on. They are not picking up the settings
set in the root domain. Can anyone suggest what i need to do to get these to
work from the top level.

 

[Derek Melber [MVP]]

Tony,

you are right in saying that the Account POlicies are the key portion of the
GPO that can't be done at the site level, and only can be done at the domain
level. Most of the other computer configuration settings will propagate from
the site level with no problem.

As long as you have only set up the Account Policies in the GPO linked to
the site, you can just unlink the GPO from the site and you are done with
that step. As for setting up the Account Policies at each domain, I highly
recommend just configuring the Default Domain Policy in each domain.

hope this helps

--
Derek Melber
BrainCore.Net
(e-mail address removed)

Hi Derek,

Would i be right in saying that some parts of the site policy will

propogate, but Account policies do not travel as they should be set on a per
domain basis?. I think we will resort to having 1 seperate GPO for each
domain and remove the Site GPO. Is there any set way i should go about doing
this or is it as simple as removing the link in the Ad Sites and Services
tool and then setting the policy settings on each of the 4 Domains
separately.